
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0436
                  Red Hat Data Grid 8.1.1 security update
                              9 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Data Grid 8.1.1
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26217 CVE-2020-25711 CVE-2020-25644

Reference:         ESB-2021.0381
                   ESB-2021.0328
                   ESB-2020.4430
                   ESB-2020.4413

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:0433

- --------------------------BEGIN INCLUDED TEXT--------------------


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Data Grid 8.1.1 security update
Advisory ID:       RHSA-2021:0433-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0433
Issue date:        2021-02-08
CVE Names:         CVE-2020-25644 CVE-2020-25711 CVE-2020-26217
=====================================================================

1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red Hat
Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)

* XStream: remote code execution due to insecure XML deserialization when
relying on blocklists (CVE-2020-26217)

* infinispan: authorization check missing for server management operations
(CVE-2020-25711)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
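The XStream entry above turns on the difference between a blocklist and an allowlist: a blocklist only stops types somebody has already thought of, while XStream's own security framework can refuse everything not explicitly permitted. The following is an added example, not code from the advisory or from Red Hat; the `CacheEntry` type, the `entry` alias and the `com.example.model` package are assumptions for the demonstration.

```java
// Added example (not from the advisory): configure XStream with a type
// allowlist instead of relying on a blocklist. CacheEntry, the "entry"
// alias and the com.example.model package are hypothetical.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStreamFactory {

    // Hypothetical application type that the service expects to deserialize.
    public static class CacheEntry {
        public String key;
        public int ttlSeconds;
    }

    public static XStream create() {
        XStream xstream = new XStream();
        // Start from "deny everything": this clears the default permissions,
        // including blocklist-style denials that new gadget types slip past.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow only what the application actually needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, CacheEntry.class });
        // Wildcards are acceptable for the application's own model package;
        // a bare "**" would reopen the deny-everything default.
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        xstream.alias("entry", CacheEntry.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = create();
        // Constructed sample input: an allowlisted type round-trips normally.
        CacheEntry e = (CacheEntry) xstream.fromXML(
            "<entry><key>session-42</key><ttlSeconds>60</ttlSeconds></entry>");
        System.out.println(e.key + " ttl=" + e.ttlSeconds);
        // Constructed sample input: a type that is not on the allowlist is
        // refused, whether or not anyone ever added it to a blocklist.
        try {
            xstream.fromXML("<java.awt.Point><x>1</x><y>2</y></java.awt.Point>");
        } catch (ForbiddenClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The rejection path is the one to verify in a deployment: feed the configured instance a document naming a type that is not on the allowlist and confirm it fails with `ForbiddenClassException` rather than being instantiated.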

3. Solution:

Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading to
this version.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists

5. References:

https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/cve/CVE-2020-25711
https://access.redhat.com/security/cve/CVE-2020-26217
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.1
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================